
OCR Settles with 5 Providers Over HIPAA Right of Access Violations

OCR closed investigations into HIPAA right of access violations at Housing Works, All Inclusive Medical Services, Beth Israel Lahey Health Behavioral Services, King MD, and Wise Psychiatry.

The Office for Civil Rights closed investigations and announced settlements with five providers over separate HIPAA right of access violations, which brings the total number of enforcement actions under its 2019 initiative to seven. 

According to the announcement, All Inclusive Medical Services, Beth Israel Lahey Health Behavioral Services, King MD, and Wise Psychiatry have all settled with OCR for failing to adhere to the right of access rule. 

Announced in early 2019, OCR’s HIPAA right of access initiative strictly enforces the right of patients to obtain access to their medical records in a timely fashion, for a reasonable fee, and in their requested format. 

The initiative is timely, as studies revealed that more than half of healthcare entities fail to comply with the HIPAA provision. Bayfront Health St. Petersburg in Florida was the first provider to settle with the agency under the initiative for $85,000 in September 2019, followed by Korunda Medical in December 2019.

“Patients can't take charge of their health care decisions, without timely access to their own medical information,” OCR Director Roger Severino said in a statement. “Today's announcement is about empowering patients and holding health care providers accountable for failing to take their HIPAA obligations seriously enough.”

All Inclusive Medical Services

OCR launched an investigation into All Inclusive Medical Services (AIMS), a California-based multi-specialty family medicine clinic, in April 2018, after a patient filed a complaint that alleged AIMS refused to provide the patient with access to her medical records, denying her requests to inspect and receive a copy of her records. 

The investigation determined that AIMS failed to provide the patient with access to inspect the records and to obtain a copy of protected health information in a designated record set. While not an admission or concession of guilt, AIMS will pay OCR $15,000 to resolve the case. 

AIMS has also entered into a corrective action plan with OCR that will require the provider to develop, maintain, and revise its written privacy policies and procedures to comply with the HIPAA rule within 90 days. Those policies will be distributed to the entire AIMS workforce.

OCR will also require AIMS to train its workforce on its new policies and procedures, providing OCR with annual reports. 

Beth Israel Lahey Health Behavioral Services 

In the case of Northeast Behavioral Health Corporation, doing business as Beth Israel Lahey Health Behavioral Services (BILHBS), the provider will pay OCR $70,000 and adopt a corrective action plan to resolve the potential right of access violation. 

OCR received a complaint against BILHBS in April 2019 that claimed the provider failed to timely respond to a request from a personal representative seeking access to her father’s medical records in February 2019. 

The investigation found that the records were not provided to the representative until October 28, 2019 -- eight months later. To settle the potential violation, BILHBS will pay the monetary penalty and has entered into a corrective action plan with OCR. 

BILHBS must develop, maintain, and revise, as necessary, written policies and procedures that comply with the HIPAA privacy rule for individually identifiable health information, including reviewing and updating the policies for access to PHI, safeguarding designated record sets, and protocols for training its workforce involved with receiving or fulfilling access requests to ensure compliance with HIPAA. 

OCR has also required BILHBS to apply appropriate sanctions to its workforce members who fail to adhere to these policies and procedures and provide OCR with annual reports on its implementation. 

King MD 

The settlement between OCR and King MD stemmed from a patient complaint that claimed the small Virginia-based provider failed to respond to a patient’s August 2018 request for access to her medical records.

The first complaint was filed with OCR in October 2018. The provider was given technical assistance on HIPAA right of access requirements, which closed the complaint. However, OCR received a second complaint in February 2019 that alleged the provider still had not given the patient access to their medical records. 

A second OCR investigation into King MD found potential HIPAA right of access violations. As a result of the investigation, King MD sent the patient a copy of her medical records in July 2020. To resolve the complaint, the provider will pay OCR $3,500 and enter into a corrective action plan. 

Much as with the other CAPs, King MD will need to revise its policies and procedures around the right of access rule. King MD’s CAP also requires the provider to identify methods for calculating costs for the labor to copy PHI, whether in paper or electronic form, supplies for creating the PHI media, postage, and preparation of an explanation or summary of PHI, if requested.

King MD must also train its workforce on the policies and provide OCR with an annual report. 

Wise Psychiatry 

For Wise Psychiatry, the OCR settlement stems from a February 2018 patient complaint that alleged the provider failed to provide a patient’s personal representative with access to his minor son’s medical records.

Access was first requested in November 2017, and OCR gave Wise technical assistance on right of access requirements, thus closing the complaint in April 2018. However, a second complaint was filed in October 2018 that claimed Wise still had not provided the representative with access to the records. 

The investigation spurred Wise to provide access in May 2019. However, Wise will also pay OCR $10,000 and enter into a CAP to resolve these potential violations. 

“Wise Psychiatry recently adopted written policies and procedures titled, ‘Patients Request for Records’ which comply with the Federal standards that govern the privacy of individually identifiable health information,” according to the agreement. 

Those policies must be distributed to the workforce with signed confirmation, to be followed with training of all employees and business associates. The training must be provided annually. 

Housing Works 

The fifth settlement was between OCR and Housing Works, a New York City-based nonprofit that provides healthcare, homeless services, advocacy, job training, reentry services, and legal aid support for those living with and affected by HIV/AIDS.

OCR received a complaint in July 2019 that claimed Housing Works failed to provide a patient with a copy of his medical records. After providing Housing Works with technical assistance on HIPAA right of access requirements, OCR closed the complaint. 

But in August 2019, the patient filed a second complaint with OCR that alleged the provider still had not provided the patient with his records. A second investigation was launched, which found the failure to provide the patient with the requested records was a potential violation of HIPAA.

The patient finally received his medical records in November 2019, as a result of the investigation. OCR has now settled with Housing Works for $38,000, and the provider has agreed to enter into a CAP, which requires leadership to revise its policies and procedures for right of access requirements. 

Housing Works must also train its workforce on both the privacy requirements for access to PHI and access request status requirements, providing OCR with annual reports. 

OCR stressed that these five settlements are designed to send a message about the importance of a patient’s right to access their medical records and the necessity of complying with the HIPAA rule. 

“OCR considers a variety of factors in determining the amount of a settlement including the nature and extent of the potential HIPAA violation,” officials explained. “The nature and extent of the harm resulting from the potential HIPAA violation; the entity's history with respect to compliance with the HIPAA Rules; the financial condition of the entity, including its size and the impact of the COVID-19 public health emergency; and other matters as justice may require.”
